port=3389 listens on v4 or v6 but not both #2654

Closed
reukiodo opened this issue May 3, 2023 · 11 comments
@reukiodo

reukiodo commented May 3, 2023

The default port=3389 listens to either 0.0.0.0:3389 or {::}:3389 but not both, against intuition. The default should listen to both v4 and v6 when both are enabled on the server.

On v4-only systems, xrdp always listens on 0.0.0.0:3389. On v6-only systems, xrdp always listens on {::}:3389. On a system with both v4 and v6 enabled and using default config, it seems to randomly select one or the other, not both on reboot.

Attempting to work around this manually by configuring both, such as port=tcp://:3389 tcp6://:3389, fails to start, I'm assuming due to #1450 or something similar:

root@control-tower:~# service xrdp status
● xrdp.service - xrdp daemon
     Loaded: loaded (/lib/systemd/system/xrdp.service; enabled; vendor preset: enabled)
     Active: failed (Result: exit-code) since Tue 2023-05-02 17:15:58 PDT; 2min 52s ago
       Docs: man:xrdp(8)
             man:xrdp.ini(5)
    Process: 757 ExecStartPre=/bin/sh /usr/share/xrdp/socksetup (code=exited, status=0/SUCCESS)
    Process: 767 ExecStart=/usr/sbin/xrdp $XRDP_OPTIONS (code=exited, status=1/FAILURE)
        CPU: 55ms

May 02 17:15:58 control-tower xrdp[767]: (767)(140517289674560)[INFO ] listening to port 3389 on ::
May 02 17:15:58 control-tower xrdp[767]: (767)(140517289674560)[INFO ] address [0.0.0.0] port [3389] mode 4
May 02 17:15:58 control-tower xrdp[767]: (767)(140517289674560)[INFO ] listening to port 3389 on 0.0.0.0
May 02 17:15:58 control-tower xrdp[767]: (767)(140517289674560)[ERROR] trans_listen_address failed
May 02 17:15:58 control-tower xrdp[767]: (767)(140517289674560)[DEBUG] Closed socket 8 (AF_INET 0.0.0.0:0)
May 02 17:15:58 control-tower xrdp[767]: (767)(140517289674560)[DEBUG] Closed socket 7 (AF_INET6 :: port 3389)
May 02 17:15:58 control-tower xrdp[767]: (767)(140517289674560)[ERROR] Failed to start xrdp daemon, possibly address already in use.
May 02 17:15:58 control-tower systemd[1]: xrdp.service: Control process exited, code=exited, status=1/FAILURE
May 02 17:15:58 control-tower systemd[1]: xrdp.service: Failed with result 'exit-code'.
May 02 17:15:58 control-tower systemd[1]: Failed to start xrdp daemon.
root@control-tower:~# 
@matt335672
Member

There are quite a few wrinkles in the V0.9.x IP stack which will get sorted out in the lifetime of the next major build. I thought this was probably one of these at first, but now I don't think it is an issue at all.

I've just run up a v0.9 devel build:-

 xrdp -v
Argument 0 - xrdp
Argument 1 - -v
xrdp 0.9.21.1
  A Remote Desktop Protocol Server.
  Copyright (C) 2004-2020 Jay Sorg, Neutrino Labs, and all contributors.
  See https://github.com/neutrinolabs/xrdp for more information.

  Configure options:
      --enable-devel-all
      --enable-fuse
      --enable-pixman
      --enable-ipv6
      --enable-painter
      --enable-jpeg
      --with-imlib2
      --enable-vsock
      --with-freetype2
      CC=clang
      CFLAGS=-g

  Compiled with OpenSSL 3.0.2 15 Mar 2022

I've got port=3389 in the config file.

Then:-

$ sudo journalctl -u xrdp -S today
May 03 09:37:26 <hostname> systemd[1]: Starting xrdp daemon...
May 03 09:37:27 <hostname> xrdp[1625]: [INFO ] [xrdp_listen_process_startup_params(xrdp_listen.c:679)] address [0.0.0.0] port [3389] mode 1
May 03 09:37:27 <hostname> xrdp[1625]: [INFO ] [xrdp_listen_process_startup_params(xrdp_listen.c:688)] listening to port 3389 on 0.0.0.0
May 03 09:37:27 <hostname> xrdp[1625]: [INFO ] [xrdp_listen_process_startup_params(xrdp_listen.c:674)] xrdp_listen_pp done

and

$ sudo ss -alp 'sport = 3389'
Netid           State             Recv-Q            Send-Q                       Local Address:Port                                Peer Address:Port           Process           
tcp             LISTEN            0                 2                                        *:ms-wbt-server                                  *:*               users:(("xrdp",pid=1630,fd=11))

On another machine:-

$ nmap -4 -p 3389 <hostname>
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-03 09:38 BST
Nmap scan report for <hostname> (<IP4addr>)
Host is up (0.0019s latency).
Other addresses for <hostname> (not scanned): <IP6addr>

PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

and

$ nmap -6 -p 3389 <hostname>
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-03 09:38 BST
Nmap scan report for <hostname> (<IP6addr>)
Host is up (0.0018s latency).
Other addresses for <hostname> (not scanned): <IP6addr>

PORT     STATE SERVICE
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 0.04 seconds

So it all looks OK here.

The discrepancy could be:-

  1. xrdp version?
  2. Relying on the log file to tell you what's happening rather than using nmap maybe?

Or something else I can't think of!

Let me know what you find.

@reukiodo
Author

reukiodo commented May 3, 2023

root@control-tower:~# aptitude -y install xrdp
xrdp is already installed at the requested version (0.9.12-1.1)
xrdp is already installed at the requested version (0.9.12-1.1)
No packages will be installed, upgraded, or removed.
0 packages upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
Need to get 0 B of archives. After unpacking 0 B will be used.

root@control-tower:~# xrdp -v
xrdp 0.9.12
  A Remote Desktop Protocol Server.
  Copyright (C) 2004-2018 Jay Sorg, Neutrino Labs, and all contributors.
  See https://github.com/neutrinolabs/xrdp for more information.

  Configure options:
      --enable-ipv6
      --enable-jpeg
      --enable-fuse
      --enable-rfxcodec
      --enable-opus
      --enable-painter
      --enable-vsock
      --build=x86_64-linux-gnu
      --prefix=/usr
      --includedir=${prefix}/include
      --mandir=${prefix}/share/man
      --infodir=${prefix}/share/info
      --sysconfdir=/etc
      --localstatedir=/var
      --disable-silent-rules
      --libdir=${prefix}/lib/x86_64-linux-gnu
      --libexecdir=${prefix}/lib/x86_64-linux-gnu
      --disable-maintainer-mode
      --disable-dependency-tracking
      --with-socketdir=/run/xrdp/sockdir
      build_alias=x86_64-linux-gnu
      CFLAGS=-g -O2 -fdebug-prefix-map=/build/xrdp-ftEFny/xrdp-0.9.12=. -fstack-protector-strong -Wformat -Werror=format-security 
      LDFLAGS=-Wl,-z,relro -Wl,-z,now -Wl,--as-needed
      CPPFLAGS=-Wdate-time -D_FORTIFY_SOURCE=2 
      PKG_CONFIG_PATH=/build/xrdp-ftEFny/xrdp-0.9.12/pkgconfig

  Compiled with OpenSSL 1.1.1n  15 Mar 2022
root@control-tower:~# 

For now I've set port=tcp://:3389 because we still have some v4-only clients and I can't get it to listen on both v4 and v6 at the same time.

@reukiodo
Author

reukiodo commented May 3, 2023

Ah, I now notice that Debian's package is quite a few versions behind - stuck in 2019!

@matt335672
Member

That's not it.

I've got a v0.9.12 build here:-

$ xrdp -v
Argument 0 - xrdp
Argument 1 - -v
xrdp 0.9.12
  A Remote Desktop Protocol Server.
  Copyright (C) 2004-2018 Jay Sorg, Neutrino Labs, and all contributors.
  See https://github.com/neutrinolabs/xrdp for more information.

  Configure options:
      --enable-xrdpdebug
      --enable-fuse
      --enable-pixman
      --enable-ipv6
      --enable-painter
      --enable-jpeg
      --with-imlib2
      --enable-vsock
      --with-freetype2
      --enable-neutrinordp
      CC=gcc
      CFLAGS=-g -fvar-tracking -Wl,-z,now

  Compiled with OpenSSL 3.0.2 15 Mar 2022

I've got a simple port=3389 in xrdp.ini.

Both interfaces are being listened on.

Check the output of sudo ss -alp 'sport = 3389' so we can try to determine where the problem lies.

@matt335672
Member

@reukiodo - do you need any more input into this?

@reukiodo
Author

2023-05-17 13:36:09 root@control-tower:~# nano /etc/xrdp/xrdp.ini 
2023-05-17 13:36:39 root@control-tower:~# service xrdp restart
2023-05-17 13:36:44 root@control-tower:~# ss -alp 'sport = 3389'
Netid          State           Recv-Q          Send-Q                   Local Address:Port                            Peer Address:Port         Process         
tcp            LISTEN          0               2                                    *:ms-wbt-server                              *:*             users:(("xrdp",pid=38009,fd=11))
2023-05-17 13:36:57 root@control-tower:~#

@reukiodo
Author

reukiodo commented May 17, 2023

I changed the xrdp.ini back to the port=3389 and restarted the service. Perhaps it is because I am using a Mac and the Microsoft Remote Desktop client and connecting through a VPN...? I just don't understand why it works when xrdp.ini is configured specifically for port=tcp://:3389 and not the default port=3389.

@matt335672
Member

Sorry @reukiodo - I'm missing some information.

From what I can see from that version of the code, port=tcp://:3389 will listen on V4 and port=3389 will listen on all interfaces. Is that not what ss -alp 'sport = 3389' is telling you? In your post above you seem to be listening on all interfaces. What is port set to?

Also, you mention a VPN. This may well be giving you routing issues.

  1. Are you sure BOTH ends are set up to route both IPv4 and IPv6 over the VPN?
  2. Are traceroute commands for v4 and v6 showing end-to-end connectivity?
  3. Is the VPN terminated on your xrdp machine, or elsewhere?
  4. Are A and AAAA DNS name queries resolving to the expected addresses from the client?

As I mentioned earlier, you can use nmap from the client to see if the server appears to be listening on a particular interface. This may answer some of the VPN queries.

Suggest you check the server is behaving as I think it is by using ss -alp 'sport = 3389'. If it is, there's a networking issue to investigate. If it's not, I'm not understanding the problem here.

@reukiodo
Author

It seems a simple service restart is not enough and I was able to connect to 3389 on ipv4 after a full reboot with default port=3389 config.

@matt335672
Member

That seems odd.

The behaviour of xrdp itself won't be affected by a reboot, but other system-level features might be (IP addresses, routing, etc).

Possible reasons off the top of my head:-

  1. DHCP lease for IPv4 address expired.
  2. System name registered with dynamic DNS expired.

Since this is unexplained it may well happen again. If it does, please repost here and we can look into it. If not, I'll close this in a couple of weeks.

@reukiodo
Author

The system had both static IPv4 configured as well as static DNS, so not likely to be a DNS/resolution/IP issue. I'll throw this one up as undefined and close for now. If I can replicate with another server I'll let you know, though it seems that a reboot will likely resolve after installation.
